CVE-2024-51751: Gradio: path traversal exposes arbitrary server files

GHSA-rhm9-gp5p-5248 | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published November 6, 2024
CISO Take

Any authenticated user of a Gradio deployment (versions 5.0.0–5.4.x) can read arbitrary files from the server filesystem via the File or UploadButton components. In AI/ML environments this typically means API keys, .env files, and model configs are at risk. Upgrade to 5.5.0 immediately — no workarounds exist.

Risk Assessment

CVSS 6.5 Medium understates practical risk in AI/ML environments. Gradio servers routinely run with broad filesystem access alongside sensitive assets: Hugging Face tokens, OpenAI API keys, cloud credentials, and training data. The attack requires only low privilege (any authenticated user) and zero user interaction, making it trivially exploitable by any application user. EPSS of 0.26% reflects limited observed exploitation, but the minimal exploit barrier warrants prompt remediation, especially for public-facing or multi-tenant deployments.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | | No patch |
| gradio | pip | >= 5.0.0, < 5.5.0 | 5.5.0 |

gradio package stats: 42.5K, OpenSSF 5.6, 674 dependents, pushed 8d ago, 27% patched, ~110d to patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 51% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

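Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None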

Recommended Action

1. Upgrade to Gradio 5.5.0, the only available fix; no workarounds exist per the advisory.
2. If upgrade is delayed, restrict network access via firewall rules to trusted IP ranges only.
3. Treat any Gradio instance with untrusted user access as potentially compromised: audit access logs for anomalous file requests via upload endpoints.
4. Rotate all credentials (API keys, tokens, DB passwords) accessible on affected servers.
5. Inventory all internal Gradio deployments; shadow IT ML demos are a common blind spot.
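For the inventory step, the following added example (not code from the advisory or the Gradio project) classifies `gradio` pins in requirements or `pip freeze` text against the range stated on this page, `>= 5.0.0, < 5.5.0`. The function names, status labels and deployment names are hypothetical, and the sample input is constructed.

```python
import re

# Range stated in this advisory: gradio >= 5.0.0, < 5.5.0 (fixed in 5.5.0).
VULN_MIN, VULN_MAX = (5, 0, 0), (5, 5, 0)

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_PIN = re.compile(r"^={2,3}\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?([^\s;,]*)")

def classify(line):
    """Classify one requirements/pip-freeze line.

    Returns 'vulnerable', 'outside-range', 'review' (unpinned or ambiguous
    boundary version), or None when the line is not a gradio requirement.
    """
    m = _REQ.match(line.split("#", 1)[0])
    if not m:
        return None
    # PEP 503 normalisation: "Gradio" matches, "gradio_client" does not.
    if re.sub(r"[-_.]+", "-", m.group(1)).lower() != "gradio":
        return None
    pin = _PIN.match(m.group(2))
    if not pin:
        return "review"          # ranges, URLs, bare names: resolve by hand
    release = tuple(int(p or 0) for p in pin.group(1, 2, 3))
    if pin.group(4) and release in (VULN_MIN, VULN_MAX):
        return "review"          # e.g. 5.5.0rc1 or ==5.*: boundary is ambiguous
    return "vulnerable" if VULN_MIN <= release < VULN_MAX else "outside-range"

def inventory(deployments):
    """Map deployment name -> worst status found in its requirements text."""
    rank = {"outside-range": 0, "review": 1, "vulnerable": 2}
    result = {}
    for name, text in deployments.items():
        found = [s for s in map(classify, text.splitlines()) if s]
        result[name] = max(found, key=rank.get) if found else "not-present"
    return result

# Constructed sample input: requirements text from four hypothetical deployments.
SAMPLE = {
    "rag-demo": "torch==2.4.0\nGradio[oauth]==5.3.0  # pinned last quarter\n",
    "model-card-ui": "gradio==5.5.0\ngradio_client==1.4.2\n",
    "labeling-tool": "gradio>=5.0\n",
    "batch-scorer": "fastapi==0.115.0\ngradio-client==1.3.0\n",
}

if __name__ == "__main__":
    for name, status in inventory(SAMPLE).items():
        print(f"{name}: {status}")
```

A `review` result means the pin cannot be decided from the text alone (a range specifier, a wildcard, or a pre-release at the boundary) and the resolved version in the running environment should be checked.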

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-51751?

Any authenticated user of a Gradio deployment (versions 5.0.0–5.4.x) can read arbitrary files from the server filesystem via the File or UploadButton components. In AI/ML environments this typically means API keys, .env files, and model configs are at risk. Upgrade to 5.5.0 immediately — no workarounds exist.

Is CVE-2024-51751 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-51751, increasing the risk of exploitation.

How to fix CVE-2024-51751?

1. Upgrade to Gradio 5.5.0, the only available fix; no workarounds exist per the advisory.
2. If upgrade is delayed, restrict network access via firewall rules to trusted IP ranges only.
3. Treat any Gradio instance with untrusted user access as potentially compromised: audit access logs for anomalous file requests via upload endpoints.
4. Rotate all credentials (API keys, tokens, DB passwords) accessible on affected servers.
5. Inventory all internal Gradio deployments; shadow IT ML demos are a common blind spot.

What systems are affected by CVE-2024-51751?

This vulnerability affects the following AI/ML architecture patterns: ML demo environments, model serving, internal ML tooling, RAG pipelines.

What is the CVSS score for CVE-2024-51751?

CVE-2024-51751 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.27%.

Technical Details

NVD Description

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An adversary gains low-privilege access to a shared Gradio demo (via a public URL or internal trial account). Using the File or UploadButton component, they issue requests with path traversal sequences, e.g., `../../.env` or `../../../root/.ssh/id_rsa`, to read files outside the intended directory. In a typical ML environment this yields Hugging Face tokens, OpenAI or Anthropic API keys, or database credentials. The attacker then pivots to model repositories on Hugging Face, cloud training infrastructure, or upstream data stores, turning a Medium-severity UI bug into a full credential compromise.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: November 6, 2024
Last Modified: August 26, 2025
First Seen: November 6, 2024
